The Trigger in the Haystack: Extracting and Reconstructing LLM Backdoor Triggers
Blake Bullwinkel, Giorgio Severi, Keegan Hines, Amanda Minnich, Ram Shankar Siva Kumar, Yonatan Zunger
TL;DR
This work tackles backdoor poisoning in large language models by linking memorization of poisoned data to practical defense. It introduces a scalable, inference-only scanner that (i) leaks memorized poisoning examples, (ii) detects trigger-induced internal dynamics such as attention hijacking and entropy collapse, and (iii) reconstructs triggers via a four-step pipeline (leakage, motif discovery, trigger reconstruction, classification). The method achieves high detection rates across fixed-output and code-generation backdoors, often recovering functional triggers without prior knowledge of the trigger or target, and outperforms existing baselines like BAIT and ICLScan. Its practical impact lies in enabling defensive layering for open-weight model ecosystems without retraining or performance loss, enhancing safety in real-world LLM deployments.
Abstract
Detecting whether a model has been poisoned is a longstanding problem in AI security. In this work, we present a practical scanner for identifying sleeper agent-style backdoors in causal language models. Our approach relies on two key findings: first, sleeper agents tend to memorize poisoning data, making it possible to leak backdoor examples using memory extraction techniques. Second, poisoned LLMs exhibit distinctive patterns in their output distributions and attention heads when backdoor triggers are present in the input. Guided by these observations, we develop a scalable backdoor scanning methodology that assumes no prior knowledge of the trigger or target behavior and requires only inference operations. Our scanner integrates naturally into broader defensive strategies and does not alter model performance. We show that our method recovers working triggers across multiple backdoor scenarios and a broad range of models and fine-tuning methods.
